On this Carousell Ride, the Crooks Take the Brass Ring.

In a variation on a recently seen theme in which scammers pose as buyers on e-commerce platforms, victims in Singapore are being taken in by people offering to buy goods from them.

Carousell is a popular (and legitimate) Singapore-based consumer-to-consumer and business-to-consumer platform on which people can buy and sell both new and second-hand goods. The contact message from the scammer typically reads something like this: “I would like to pay for an item via FedEx. It’s easy. I will need your phone number to place the order, now I will send you a link to receive funds for the goods, you confirm the transaction and receive the money for the goods,” etc.

The link to “receive funds” is malicious, designed to harvest the victim’s banking credentials. The victims have been realizing something is amiss only after they find unauthorized transactions on their accounts. The Singapore Police urge anyone with information about the scam, whether they’re victims or witnesses, to call the police hotline or report what they know online. So far people have lost more than S$17,000 to the scammers.

This is a scam directed against consumers, but it’s not difficult to see how similar approaches might be made to employees of a business, especially of business-to-consumer firms whose transactions include trading over e-commerce platforms. New-school security awareness training can help your employees spot scams like the ones currently taking a ride on Carousell.

READ MORE

Organizations Holding Cyber Insurance Policies May Get Stuck with the Bill in a Phishing Loss

Plenty of new anecdotal and legal case-based stories are demonstrating that just because your organization has a policy doesn’t mean it’s actually going to pay out after an attack.

In a recent article over at Business Insurance, an interesting topic was raised about how phishing scams, which remain a continual exposure for most organizations, seem to fall through the cracks of policy coverage. From the article:

Phishing coverage falls into a gap between cyber liability insurance, which typically responds to breaches, and crime policies, which cover money stolen from companies.

One of the reasons seems to be that cyber insurance policies are written to cover the insured should a particular crime (e.g., wire fraud) or action (e.g., data breach) be committed, as these result in significant impacts on the victim organization. But phishing, in and of itself, is merely the conduit for something more sinister, so it’s difficult to tie it into a policy.

Take the example of a user getting phished, falling for the attack and clicking on the link or the attachment… but nothing else happens – no malware, malicious download or script, nothing. This is a far cry from when a claim is made against a cyber insurance policy because hundreds of thousands of dollars were sent to the wrong bank.

See the difference?

The Business Insurance article is worth a read. It will get you thinking about how the organization needs to take matters into its own hands and put a stop to phishing – as the cyber insurance policy probably isn’t going to do much to assist after the fact. It’s one of the reasons we’re so passionate about organizations having a layered security approach to stopping phishing attacks that includes Security Awareness Training to empower users to assist in detecting and stopping attacks before they become “claim-worthy.”

READ MORE

Hybrid Vishing Attacks Increase 625% in Q2

Reaching a six-quarter high in Q2, hybrid vishing attacks now occur at roughly six times the volume seen in Q1 2021.

Vishing attacks – those that leverage voice calls as some part of the overall attack – have been in the news lately. With nearly half of organizations experiencing vishing attacks, this should come as no surprise. These response-based attacks (that is, an attack that requires the corporate user to interact) have been continually growing, according to the Q2 2022 Cyber-Intelligence Report from security vendor Agari.

According to the report, hybrid vishing attacks have jumped 625% since Agari started recording the presence of these attacks in Q1 2021.

[Figure: hybrid vishing attack volume by quarter. Source: Agari]

We’ve covered some examples of hybrid vishing attacks before, such as the fake Amazon order confirmation email that requires the victim to call “Amazon” if the recipient has a problem (with the $1000 flat screen TV they’re being told they bought).

Hybrid Vishing started with BazarCall, a spinoff of the Conti Ransomware gang. Its cross-medium tactics actually help the cybercriminal establish credibility, making it more likely that recipients may fall victim to the scam, giving up personal details, credit card information, credentials, and more.

Users that undergo continual Security Awareness Training are taught to spot these kinds of scams – regardless of their believability or sophistication – and not respond, rendering these attacks dead in their tracks.

READ MORE

Children of Conti go Phishing

Researchers at AdvIntel warn that three more ransomware groups have begun using the BazarCall spear phishing technique invented by the Ryuk gang (a threat group that subsequently rebranded as Conti). BazarCall callback phishing allows threat actors to craft much more targeted social engineering attacks designed for specific victims. The researchers outline the four stages of this technique:

“Stage One. The threat actor sends out a legitimate-looking email, notifying the target that they have subscribed to a service for which payment is automatic. The email gives a phone number that targets are able to call to cancel their subscription.

“Stage Two. The victim is lured into contacting a special call center. When operators receive a call, they use a variety of social engineering tactics, to convince victims to give remote desktop control, ostensibly to help them cancel their subscription service.

“Stage Three. Upon accessing the victim’s desktop, a skilled network intruder silently entrenches into the user’s network, weaponizing legitimate tools that were previously typical of Conti’s arsenal. The initial operator remains on the line with the victim, pretending to assist them with the remote desktop access by continuing to utilize social engineering tactics.

“Stage Four. In the final stage of BazarCall, the initiated malware session yields the adversary access as an initial point of entry into the victim’s network. This initial access is then used and exploited in order to target an organization’s data.”

The researchers conclude that more ransomware actors will likely incorporate this technique into their own attacks.

“Since its resurgence in March earlier this year, call back phishing has entirely revolutionized the current threat landscape and forced its threat actors to reevaluate and update their methodologies of attack in order to stay on top of the new ransomware food chain,” AdvIntel says.

“Other threat groups, seeing the success, efficiency, and targeting capabilities of the tactic have begun using reversed phishing campaigns as a base and developing the attack vector into their own. This trend is likely to continue: As threat actors have realized the potentialities of weaponized social engineering tactics, it is likely that these phishing operations will only continue to become more elaborate, detailed, and difficult to parse from legitimate communications as time goes on.”

Conti as such may no longer be an active brand, but its operators haven’t retired. New-school security awareness training can teach your employees to thwart evolving social engineering tactics.

READ MORE

Initial Access Broker Phishing

Cisco has disclosed a security incident that occurred as a result of sophisticated voice phishing attacks that targeted employees, according to researchers at Cisco Talos. The researchers believe the attack was carried out by an initial access broker with the intent of selling access to the compromised accounts to other threat actors.

“On May 24, 2022, Cisco identified a security incident targeting Cisco corporate IT infrastructure, and we took immediate action to contain and eradicate the bad actors,” Cisco said in a statement. “In addition, we have taken steps to remediate the impact of the incident and further harden our IT environment. No ransomware has been observed or deployed and Cisco has successfully blocked attempts to access Cisco’s network since discovering the incident.

Cisco did not identify any impact to our business as a result of this incident, including no impact to any Cisco products or services, sensitive customer data or sensitive employee information, Cisco intellectual property, or supply chain operations. On August 10 the bad actors published a list of files from this security incident to the dark web.”

Cisco Talos explains that the attackers first gained access to Cisco’s networks after hacking an employee’s personal Google account, then stole the employee’s Cisco passwords via Google Chrome’s password syncing feature. The attackers then used various social engineering tactics to expand their access.

“After obtaining the user’s credentials, the attacker attempted to bypass multifactor authentication (MFA) using a variety of techniques, including voice phishing (aka “vishing”) and MFA fatigue, the process of sending a high volume of push requests to the target’s mobile device until the user accepts, either accidentally or simply to attempt to silence the repeated push notifications they are receiving,” Cisco Talos says.

“Vishing is an increasingly common social engineering technique whereby attackers try to trick employees into divulging sensitive information over the phone. In this instance, an employee reported that they received multiple calls over several days in which the callers – who spoke in English with various international accents and dialects – purported to be associated with support organizations trusted by the user.”
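The MFA-fatigue pattern Cisco Talos describes above (a flood of push requests until one is accepted) leaves a recognizable trace in the MFA provider's audit log. The following Python detector is an added example for this post, not code from Cisco Talos or from the original page: it flags any user who receives a burst of push challenges inside a short window and escalates the alert if an approval lands while the burst is still open. The log line format (timestamp, user, push outcome), the event names, the sample log and the thresholds are all assumptions constructed for the example.

```python
"""Flag MFA push-fatigue bursts in an authentication audit log.

Added example; not Cisco's code. The log format, event names and
thresholds below are assumptions made for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data): ISO-8601 UTC timestamp, username,
# and the outcome the hypothetical MFA provider recorded for each push.
SAMPLE_LOG = """\
2022-05-24T02:10:05Z alice push_sent
2022-05-24T02:10:35Z alice push_denied
2022-05-24T02:11:02Z alice push_sent
2022-05-24T02:11:40Z alice push_timeout
2022-05-24T02:12:15Z alice push_sent
2022-05-24T02:12:20Z alice push_denied
2022-05-24T02:13:01Z alice push_sent
2022-05-24T02:13:30Z alice push_sent
2022-05-24T02:13:48Z alice push_approved
2022-05-24T09:00:00Z bob push_sent
2022-05-24T09:00:12Z bob push_approved
2022-05-24T17:30:00Z bob push_sent
2022-05-24T17:30:09Z bob push_approved
"""

PUSH_THRESHOLD = 4            # pushes inside one window that count as a burst (assumed)
WINDOW = timedelta(minutes=10)  # sliding window length (assumed)


def parse_line(line):
    """Split one log line into (datetime, user, event)."""
    ts, user, event = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event


def detect_push_fatigue(log_text, threshold=PUSH_THRESHOLD, window=WINDOW):
    """Return one alert dict per burst.

    A burst opens when a user has `threshold` or more push_sent events
    within `window`. A push_approved that arrives while the burst is open
    marks the alert as approved_during_burst, the case a responder should
    treat as a probable fatigue success rather than a nuisance.
    """
    recent = defaultdict(deque)  # user -> timestamps of push_sent inside window
    open_bursts = {}             # user -> alert dict currently being built
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, user, event = parse_line(raw)
        q = recent[user]
        # Drop pushes that have aged out of the sliding window.
        while q and q[0] < ts - window:
            q.popleft()
        if user in open_bursts and not q:
            del open_bursts[user]  # burst expired without an approval
        if event == "push_sent":
            q.append(ts)
            if user in open_bursts:
                open_bursts[user]["pushes"] = len(q)
            elif len(q) >= threshold:
                alert = {"user": user, "first_push": q[0], "pushes": len(q),
                         "approved_during_burst": False}
                open_bursts[user] = alert
                alerts.append(alert)
        elif event == "push_approved" and user in open_bursts:
            open_bursts[user]["approved_during_burst"] = True
            open_bursts[user]["approved_at"] = ts
            del open_bursts[user]  # close the burst; later pushes start fresh
            q.clear()
    return alerts


if __name__ == "__main__":
    for a in detect_push_fatigue(SAMPLE_LOG):
        print(a)
```

On the constructed log this yields a single alert for alice: five pushes inside ten minutes, with an approval recorded before the burst expired, while bob's two ordinary logins produce nothing. In practice the threshold and window should be tuned against the organization's own baseline, and an alert with approved_during_burst set warrants an immediate session review and credential reset rather than just a user notification.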

New-school security awareness training can teach your employees to follow security best practices so they can thwart social engineering attacks.

READ MORE

U.S. Government Warns of Increased Texting Scams as Mobile Attacks are Up 100%

Cyberattacks via SMS messaging are on the rise, and are having such an impact that the Federal Communications Commission has released an advisory on robotext phishing attacks (or smishing).

According to Verizon’s 2022 Mobile Threat Index, 45% of organizations have suffered a mobile compromise in 2022 – double the percentage of organizations in 2021. If you’re wondering whether it’s purely a shift in tactics on the cybercriminal’s part, think again. According to Verizon:

  • 58% of orgs have more users using mobile devices than the prior 12 months
  • Mobile users in 59% of orgs are doing more today with their mobile device than the prior 12 months
  • Users using mobile devices in 53% of orgs have access to more sensitive data than a year ago

And keep in mind that while there are plenty of security solutions designed to secure mobile endpoints, we’re talking about personal devices that are used for a mix of corporate and personal life. This makes them a poorly protected target for cybercriminals.

So, it shouldn’t come as any surprise that the FCC has put out an advisory warning about the increased use of robotexting-based phishing scams targeting mobile users, commonly called ‘smishing’.

Some of their warning signs include:

  • Unknown numbers
  • Misleading information
  • Misspellings to avoid blocking/filtering tools
  • 10-digit or longer phone numbers
  • Mysterious links
  • Sales pitches
  • Incomplete information

We’ve seen smishing scams impersonating T-Mobile, major airlines, and even the U.K. Government. So consumers and corporate users alike need to be aware of the dangers of text-based phishing attacks – something reinforced through continual Security Awareness Training.

READ MORE

New Phishing Campaign is Now Targeting Coinbase Users

If you’re a Coinbase user, you are most likely the next target of a new phishing campaign. Cybercriminals have managed to defeat two-factor authentication and are deploying other social engineering strategies against users of the cryptocurrency exchange platform.

Researchers at PXIM Software have found that the attacks are spoofing Coinbase to trick users into logging in. Once logged in, the threat actors record the login credentials and use the information to drain funds and defraud users of their crypto balances.

In a blog post, the research team stated: “They will typically distribute these funds through a network of ‘burner’ accounts in an automated fashion via hundreds or thousands of transactions, in an effort to obfuscate the original wallet from their destination wallet.”

It is very important for your users to be able to spot the warning signs of a suspicious email. New-school security awareness training can educate your users on how to spot red flags and report any malicious activity in their day-to-day operations.

READ MORE

Twilio hacked by phishing campaign targeting internet companies

Communications giant Twilio has confirmed hackers accessed customer data after successfully tricking employees into handing over their corporate login credentials.

The San Francisco-based company, which allows users to build voice and SMS capabilities — such as two-factor authentication — into applications, said in a blog post published Monday that it became aware that someone gained “unauthorized access” to information related to some Twilio customer accounts on August 4.

Twilio said since the attack, it has revoked access to the compromised employee accounts and has increased its security training to ensure employees are on “high alert” for social engineering attacks. The company said it has begun contacting affected customers on an individual basis. Full story at TechCrunch.

READ MORE

Labor Market Social Engineering: Supply-Side and Demand-Side

We’re accustomed to social engineering being used for credential theft and business email compromise. We’re also accustomed to hearing about the increase in remote work during the pandemic, and how that has expanded organizations’ attack surface.

But another round of deception, of social engineering, is now afflicting the hiring process itself. North Korean threat actors are poaching LinkedIn and Indeed profiles to secure jobs working remotely at cryptocurrency companies.

North Korea has long used cybercrime as a tool of state policy, seeking to redress, through theft, the effects of worldwide sanctions on its economy. Remote work for cryptocurrency companies is attractive for a variety of reasons. Citing research by Mandiant that follows up and confirms a warning the US Government issued in May, Bloomberg reports:

“According to the Mandiant researchers, by collecting information from crypto companies, North Koreans can gather intelligence about upcoming cryptocurrency trends. Such data – about topics like Ethereum virtual currency, nonfungible tokens and potential security lapses – could give the North Korean government an edge in how to launder cryptocurrency in a way that helps Pyongyang avoid sanctions, said Joe Dobson, a principal analyst at Mandiant.

“‘It comes down to insider threats,’ he said. ‘If someone gets hired onto a crypto project, and they become a core developer, that allows them to influence things, whether for good or not.’”

Some of the attempts have been successful.

“Mandiant researchers said they had identified multiple suspected North Korean personas on employment sites that have successfully been hired as freelance employees. They declined to name the employers.

“‘These are North Koreans trying to get hired and get to a place where they can funnel money back to the regime,’ said Michael Barnhart, a principal analyst at Mandiant.”

This is worker-side deception, in which North Korean operators pose as coders looking for remote work they can use for either direct theft or espionage. There’s a corresponding North Korean employer-side deception in which the Lazarus Group and related DPRK threat groups put up websites that impersonate well-known companies, and on which they post bogus job offers. Bloomberg cites research by Google that identified a North Korean-produced site that impersonated the employment service Indeed.com.

“Other fake domains, created by suspected North Korean operators, impersonated ZipRecruiter, a Disney careers page and a site called Variety Jobs, according to Google.” The goal of these attempts is to induce marks to submit personal and professional information that can be used to either socially engineer the victims, or else to enable DPRK intelligence services to impersonate those victims in other campaigns.

So don’t neglect HR and recruiting in your security training, and keep an eye out for attempts to impersonate your public-facing websites. New-school security awareness training can teach your people how to recognize social engineering tactics, whether they’re worker-side or employer-side.

READ MORE

A Widespread, Multistage Investment Scam

A complex and ambitious investment scam has used more than 10,000 domains to induce speculators to give up not just funds, but personal information as well. Researchers at security firm Group-IB describe the campaign as one that proceeds through several distinct stages. It begins with ads placed in social media, or with pages displayed in compromised Facebook or YouTube accounts.

The come-on invites prospects to learn more about an investment opportunity, enticing them with bogus celebrity endorsements and (always a warning sign) promises of guaranteed returns. Should the prospect click through to learn more, they find that, for an initial investment of just €250 (roughly $255 USD), they’ll receive a personal investment counselor who will guide them through the process. And they’ll also receive a dashboard they can use to track their investment’s progress.

The scam follows a well-established set of steps:

  1. The bogus come-on is published on social media.
  2. The victim is taken to a phony investment website.
  3. The victim enters personal information in a form on the scam site.
  4. A call center contacts the victim, offering more information about the fraudulent investment prospectus.
  5. The victim, after providing more information, is given a login to a site that offers a dashboard of general investment performance.
  6. The victim makes an initial deposit of €250, and receives an individualized dashboard showing their own investment’s performance (the information displayed there is bogus).
  7. The victim is urged to invest more money. If the victim asks to cash out, the victim is told more needs to be invested to reach the cash out threshold. This continues until the victim is eventually disillusioned.

The malicious domains, some 5,000 of which Group-IB reports are still in use, have been employed in a campaign that’s affected victims in Belgium, the Czech Republic, Germany, the Netherlands, Norway, Poland, Portugal, Sweden, and the United Kingdom.

What are some of the red flags? Two stand out in particular: the promise of a guaranteed return, and the assignment of a personal investment counselor to a small investor. The amounts taken initially aren’t large, but the scammers make up for this in volume.

The complex, multistage approach can persuade some who might pride themselves on their resistance to scams. New-school security awareness training focused on social engineering, however, can help inoculate people against this sort of caper by exposing them to it in a convincing yet safe way before they encounter it for real.

READ MORE